{"id":25999,"date":"2025-09-29T13:24:51","date_gmt":"2025-09-29T21:24:51","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2025\/09\/29\/news-19718\/"},"modified":"2025-09-29T13:24:51","modified_gmt":"2025-09-29T21:24:51","slug":"news-19718","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2025\/09\/29\/news-19718\/","title":{"rendered":"Retail at risk:\u00a0How one alert uncovered a persistent cyberthreat\u200b\u200b"},"content":{"rendered":"

Credit to Author: Microsoft Incident Response| Date: Wed, 24 Sep 2025 17:00:00 +0000<\/strong><\/p>\n

In the latest edition of our Cyberattack Series, we dive into real-world cases targeting retail organizations. With 60% of retail companies reporting operational disruptions from cyberattacks and 43% experiencing security compromises in the past year, the risks for businesses continue to increase.1<\/sup> This post unpacks where a single alert led to the discovery of a major persistent cyberthreat, how cyberattackers exploited unpatched SharePoint vulnerabilities and compromised identities to infiltrate networks\u2014and how Microsoft Incident Response\u2013the Detection and Response Team (DART) swiftly stepped in with forensic insights and actionable guidance. Download the full report<\/a> to learn more about how one small signal exposed a much larger danger, and how you can strengthen your defenses against similar cyberthreats.<\/p>\n

\n
Download the full Cyberattack report<\/a><\/div>\n<\/p><\/div>\n

What happened?<\/h2>\n

The cases we\u2019re examining in detail spanned two parts\u2014Reactive 1 and Reactive 2. Reactive 1 began when a retail customer received a Microsoft Defender<\/a> Experts alert titled \u201cPossible web shell installation.\u201d The Investigation revealed a malicious ASPX file on their SharePoint server, linked to vulnerabilities CVE-2025-49706 and CVE-2025-49704. These allowed cyberattackers to spoof identities and inject remote code.<\/p>\n

Reactive 2 started with a single compromised identity. Cyberattackers gained persistence by abusing self-service password reset features and mapped the organization\u2019s identity structure using Microsoft Entra ID and Microsoft Graph API. The issue escalated access using Azure Virtual Desktop and Remote Desktop Protocol (RDP), deployed tools like PsExec and SQL Server Management Studio, and maintained control using Teleport, Azure CLI, and Rsocx proxy. Credential manipulation and directory exploration followed, confirmed by Entra ID risk events. The Detection and Response Team (DART) again provided expert support to contain and analyze the threat.<\/p>\n

In both cases, the customer engaged DART quickly, which helped validate the scope of the compromise and assess cyberattacker activity and persistence mechanisms.<\/p>\n

\n
\n

Insight: Identity management weakness<\/strong>
Lack of account separation between standard users and privileged users significantly increased the risk of lateral movement. Nine out of 20 accounts had elevated access without proper tiering.<\/p>\n<\/blockquote>\n<\/figure>\n

How did Microsoft respond?<\/h2>\n

DART swiftly addressed the two security incidents by executing a comprehensive set of actions aimed at restoring control, containing cyberthreats, and reinforcing long-term resilience. The team began by reclaiming identity systems\u2014both on-premises and cloud\u2014through Active Directory takeback and Entra ID isolation. It neutralized threat actor access by deprivileging compromised accounts, revoking tokens, and identifying persistence mechanisms like Teleport and multifactor authentication (MFA) device registration. Malicious web shells were detected and removed within hours, showcasing rapid containment capabilities.<\/p>\n

To investigate and remediate the incidents, Microsoft deployed proprietary forensic tools across critical infrastructure, enabling root cause analysis and operational recovery. The team also guided the affected organization through security configuration enhancements aligned with Zero Trust principles<\/a>, including MFA enforcement. Threat intelligence from Defender and Microsoft Sentinel<\/a> confirmed systemic identity compromise, prompting patching of vulnerable systems and a phased mass password reset with user identity re-attestation. Additionally, reverse engineering of ransomware revealed targeted attacks on ESXi directories, informing further mitigation strategies.<\/p>\n

\n
\n

New cyberattacker behavior<\/strong>
The cyberattacker used custom obfuscated web shells that bypassed basic detection, reinforcing the importance of behavioral analytics to detect rapidly evolving tactics.<\/p>\n<\/blockquote>\n<\/figure>\n

What can customers do to prepare?<\/h2>\n

In the case of Reactive 1, we recommended critical security actions to fortify on-premises SharePoint environments and minimize exposure to known vulnerabilities, something we recommend for all customers. Customers can reduce their risk by deploying endpoint detection and response (EDR) across all devices, conducting regular vulnerability scans, and strengthening identity and access controls. Centralized logging and threat intelligence should also be implemented, along with preserving evidence and maintaining a robust incident response plan. Tools to monitor behavioral anomalies, suspicious processes, and malware indicators are increasingly necessary to protect against today\u2019s threat actors.<\/p>\n

Patching promptly\u2014especially for known exploited vulnerabilities\u2014remains a key defense for customers. Regular security hygiene practices\u2014like enforcing MFA across all accounts, removing inactive credentials, and applying least privileged access principles\u2014can improve defenses in real time as threats change fast.<\/p>\n

\n
\n

The increasing speed of cyberattacks<\/strong>
The speed of the attacker was notable. We observed \u201chands-on keyboard\u201d behavior within moments of compromise, highlighting the importance of real-time detection and response.<\/p>\n<\/blockquote>\n<\/figure>\n

\n
\n
\n
\n
\n

Secure your spot<\/h2>\n

Ready to strengthen your security strategy for the AI era? Register now for Microsoft Secure<\/a>, on September 30, to explore the latest AI-first solutions. Then, join us at Microsoft Ignite<\/a>\u2014November 17\u201321 in San Francisco, CA or online\u2014to deep dive into more innovations, connect with industry experts, experience hands-on labs, and earn certifications.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\t\t\t\t\t\t\t\t\t\t\t\"Microsoft\t\t\t\t\t\t\t\t\t<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n

What is the Cyberattack Series?<\/h2>\n

With our Cyberattack Series, customers discover how DART investigates unique and notable cyberattacks. For each cyberattack story, we share:<\/p>\n